[Bro] Finer detail on mime types

Seth Hall seth at corelight.com
Mon Jul 10 13:09:07 PDT 2017


That is a bit of an overloaded mime-type I'm afraid.  We did build the
files framework in Bro so that it could be extended to provide quite a
bit of extra information when the file is "sniffed".  The primary
problem that we'd have with providing that information at the moment
is the lack of a way to analyze Excel files.

  .Seth

On Fri, Jul 7, 2017 at 4:11 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> So in looking at xlsm/docm files I noticed this...where Bro says:
>
> application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
>
> but the pcap says:
>
> application/vnd.ms-excel.sheet.macroenabled.12
>
> Is there a way to fine tune this in Bro?  Identifying files flying
> around with macros would be wonderful...thank you.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
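
Added example, not part of the original thread and not Bro code: xlsx/xlsm and docx/docm files are ZIP packages whose `[Content_Types].xml` part declares the macro-enabled main part and any VBA project, so the distinction asked about above can be recovered from a complete file (for instance one extracted from the traffic) outside of Bro. The function names `classify_ooxml` and `build_sample` are hypothetical, and the sample package is constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Main-part content type (lower-cased) -> MIME type of the whole file.
MAIN_PARTS = {
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/vnd.ms-excel.sheet.macroenabled.main+xml":
        "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-word.document.macroenabled.main+xml":
        "application/vnd.ms-word.document.macroenabled.12",
}
VBA_PART = "application/vnd.ms-office.vbaproject"
MAX_MANIFEST = 1 << 20  # refuse oversized manifests (decompression bombs)


def classify_ooxml(data: bytes):
    """Return (mime_type or None, has_vba_part) for a complete OOXML file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.getinfo("[Content_Types].xml").file_size > MAX_MANIFEST:
                return None, False
            # For hostile input, prefer a hardened parser such as defusedxml.
            root = ET.fromstring(zf.read("[Content_Types].xml"))
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None, False  # not a ZIP, or not an OOXML package
    declared = {el.get("ContentType", "").lower() for el in root
                if el.tag in (NS + "Default", NS + "Override")}
    mime = next((m for ct, m in MAIN_PARTS.items() if ct in declared), None)
    return mime, VBA_PART in declared


def build_sample(main_ct: str, with_vba: bool) -> bytes:
    """Constructed sample: a package containing only [Content_Types].xml."""
    vba = ('<Default Extension="bin" ContentType='
           '"application/vnd.ms-office.vbaProject"/>') if with_vba else ""
    xml = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
           f'content-types">{vba}<Override PartName="/xl/workbook.xml" '
           f'ContentType="{main_ct}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", xml)
    return buf.getvalue()
```

Because the ZIP central directory sits at the end of the archive, this check needs the whole file rather than only its first bytes.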

